Tech

Sweeping Legislation Aims to Ban the Sale of Location Data

Person on phone

Sen. Elizabeth Warren and a group of other Democratic lawmakers have introduced a bill that would essentially outlaw the sale of location data harvested from smartphones. The bill also presents a range of other powers to the Federal Trade Commission (FTC) and individual victims to push back against the multibillion-dollar location data industry.

The move comes after Motherboard reported multiple instances in which companies were selling location data of people who visited abortion clinics, and sometimes making subsets of that data freely available. Such data has taken on a new significance in the wake of the Supreme Court’s looming vote on whether to overturn the protections offered by Roe v. Wade. The bill also follows a wave of reporting from Motherboard and others on various abuses and data sales in the location data industry writ large.

Videos by VICE

“Data brokers profit from the location data of millions of people, posing serious risks to Americans everywhere by selling their most private information,” Warren told Motherboard in a statement. “With this extremist Supreme Court poised to overturn Roe v. Wade and states seeking to criminalize essential health care, it is more crucial than ever for Congress to protect consumers’ sensitive data. The Health and Location Data Protection Act will ban brokers from selling Americans’ location and health data, rein in giant data brokers, and set some long overdue rules of the road for this $200 billion industry.”

Do you work in the location data industry? Do you know about any more abuses of location data? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Cosponsors of the bill are senators Ron Wyden, chair of the Senate Finance Committee; Patty Murray, chair of the Senate HELP Committee; Sheldon Whitehouse; and Bernie Sanders, chair of the Senate Budget Committee.

The Health and Location Data Protection Act is hugely ambitious in its scope, in that it will rather unambiguously “ban data brokers from selling or transferring location data and health data” barring some limited exceptions, according to a summary sheet of the bill shared with Motherboard by Warren’s staff. Those exceptions include activities that are compliant under HIPAA, the federal law used for protecting healthcare data, and First Amendment speech, the summary adds.

The bill itself more specifically says “it shall be unlawful for a data broker to sell, resell, license, trade, transfer, share, or otherwise provide or make available any of the following forms of data, whether declared or inferred, of an individual.” It then lists location and health data.

The bill defines location data as “data capable of determining the past or present physical location of an individual or an individual’s device.”

Zach Edwards, a privacy researcher who has followed the location and related industries closely, told Motherboard in an email after reviewing the bill that “This legislation would impact location data brokers and big tech companies who make location data for end users available to their partners in unsafe ways.” He added that the phrasing of the bill “makes it clear that organizations who collect location data would have a new responsibility to not expose that location unsafely to their own partners.”

The location data industry is a complex web of companies that fulfill different roles and which provide services to a wide range of clients and use cases. This industry includes ordinary apps that collect the data in the first place and may sell their users’ information directly to other firms; companies that create software development kits (SDKs), which are bundles of code that harvest the data and which they then sell the data onwards; data brokers who act simply as middlemen for other parts of the ecosystem; and companies that package the data into their own products and whose clients sometimes include law enforcement, military, and intelligence agencies.

Uses for location data vary include real estate companies sourcing it to determine how much foot traffic a plot of land may receive, hedge firms to predict if their investment will pay off, and local governments to work out transportation issues. Motherboard previously reported that the Centers for Disease Control and Prevention (CDC) sourced data on millions of phones to see if Americans followed COVID-19 lockdown orders.

Law enforcement and intelligence agencies, including Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), the Drug Enforcement Administration (DEA), and the Federal Bureau of Investigation (FBI) have all purchased surveillance products that ultimately rely on the harvesting, transfer, and sale of location data from smartphones. Sen. Wyden has proposed his own legislation, called the Fourth Amendment is Not for Sale Act, that would require agencies to obtain a warrant to get this sort of data. At the moment, agencies can bypass the need for a warrant by purchasing location information from a third party.

The industry is also home to startling abuses. Last year a Christian-aligned publication used location data to allegedly out a homosexual priest without his consent.

“This legislation would impact location data brokers and big tech companies who make location data for end-users available to their partners in unsafe ways.”

Beyond the ban on the sale of location data, the bill includes other mechanisms around enforcement, such as $1 billion in funds for the FTC over the next decade to perform its existing responsibilities and new ones around this law, and powers for the FTC and state attorneys general to sue to enforce the law. Individual people could also sue for damages and injunctions under the bill.

Because the bill goes far beyond banning just the sale of location data related to abortion clinics, and instead encompasses the sale of such data in general, it is likely to face fierce opposition from the massive location data industry. X-Mode, a company that Motherboard revealed was harvesting location data from a Muslim prayer app and which had U.S. military contractors among its clients, paid lobbying group Franklin Square Group $30,000 in 2020 (X-Mode has since rebranded as Outlogic, and was acquired by Digital Envoy in 2021). Venntel, a firm that The Wall Street Journal first reported provided location data based products to U.S. law enforcement, paid $160,000 in 2020, $320,000 in 2021, and so far $80,000 in 2022 on lobbying efforts. Venntel paid that money to lobbying firm Alpine Group.

Other lawmakers have recently proposed another piece of somewhat related legislation. The My Body My Data Act from congresswoman Sara Jacobs (CA-53) aims to stop the collection and transfer of reproductive health data. It also would give consumers the ability to launch lawsuits against companies that violated the practice, the Washington Post reported earlier this month. As the Post added, the bill is unlikely to become federal law given broad Republican opposition to expanding abortion protections and an evenly split Senate. Jacobs told the Post, “We think this can be a model for states as they are trying to figure out how they can best protect people’s right to abortion.”

Edwards, the privacy researcher, added, “This bill from Senator Warren is long overdue, and while it’s becoming clearer every day to Americans that their personal lives and decisions are for sale to the highest bidder, it’s clear that Senator Warren has a plan to turn the tables on data brokers, and Congress would be wise to pass some version of this important legislation.”

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.